Chalk is now officially open-source

Chalk documentation

Chalk Is Now Officially Open Source

It’s finally here, we have just released the source code for our open-source project Chalk™.

All docs are also available from the command line.

When we started the company last year, we first interviewed over a hundred CSOs and AppSec leaders to understand what their biggest unsolved problems were. It always led back to people not being able to know what to work on now, next or never. 

When we unpacked all the conversations, we had learned that there was a visibility gap for everyone.  Software engineers don't have visibility into the infrastructure, and infrastructure engineers don't have visibility into the development process. We kept hearing it was slow and frustrating, and often impossible to get the information they need to do their jobs.

We also learned that security engineers don't have visibility into the infrastructure or into the development process. They are flying blind, unable to help the team decide what to work on and effectively manage risk.

Chalk is our free, open-source solution to those problems. 

You add a single line to your build script and we will automatically collect and inject metadata into every build artifact. Source code, binaries and containers. You can actually alias docker for zero changes, zero interruption and zero work for your developers. 

We can even auto-deploy collection tools such as SBOM generators, and built-in Syft as a default so you don’t have to do anything. We have a How-to on the documentation site to generate SBOMs across your code repo using the CycloneDX specification and send them to a central reports destination so you effectively have an SBOM registry. 

How-to create and maintain an SBOM registry

You use chalk as a compliance easy button, not only generating SBOMs, adding code provenance information and digitally signing it, before sending it to a location of your choice as a report, as a big bonus, with no extra effort, you can be SLSA level 2 compliant, before people start officially requiring SLSA level 1 compliance.

How-to create software security supply chain compliance reports automatically

And to top it all you can use Chalk to create a real-time application inventory, collecting data about the code, repos and branches being deployed and who the code owners are.  No more scratching around in the sand when an incident occurs or a noisy scanning tools claims there is a vulnerability in a repo. 

How-to Create a real-time application inventory

There are many more how-to guides either in drafts or in our heads. 

Chalk has been in the hands of a few design partners for a few months, and is deployed in production in some very large companies indeed. You guys have been awesome and we owe you both gratitude, and lots of beer.

And don’t take my words for how cool it is. 

Chalk is an amazing open source security tool that helps to improve software security for everyone.

Omkhar Arasaratnam - Executive Director of the OpenSSF and former VP of Infrastructure Security at Google. 

A genuine shortcut to being able to know what's actually going on across the software engineering lifecycle. 

Jason Chan - Former Head of Security at Netflix

I just wish we had this years ago: it is going to provide invaluable insights into what's going on in Cloud distributed systems.

Marco Massenzio - Principal Engineer at Cruise Automation, formerly Apple and Google.

Chalk is a ‘must have’ tool for gaining visibility into the security of your software and infrastructure stack.

Gerhard Eschelbeck - CISO at Kodiak Robotics and former CISO at Google 

Chalk is going to have a huge impact on how security teams are able to prioritize what they work on.

Amit Yoran - CEO of Tenable and former National Cyber Security Director at the Department of Homeland Security

Chalk is an easy button to solve the visibility gap, and our cloud platform makes it even easier. It is designed for enterprise deployments, and provides additional functionality including prebuilt configurations to solve common tasks, prebuilt integrations to enrich your data, a built-in query editor, an API and more.

There will be both free and paid plans. We don’t anticipate that being in general availability until early 2024, you can join the waiting list for early access. There are already a number of design partners using it at scale. 

Along with the release of Chalk comes a spiffy new website, and you know it’s spiffy if you have seen our previous ones

And we now have total clarity (excuse the pun) about what we are solving. 

Crash Override is total visibility of your software engineering lifecycle. Designed for platform and security teams.

As always we post our content to Linkedin for feedback and comments. You can find this article at here.

Crash Override documentation